diff --git a/external/ngtcp2 b/external/ngtcp2
index 026b8434eb..0cc9e1cc8a 160000
--- a/external/ngtcp2
+++ b/external/ngtcp2
@@ -1 +1 @@
-Subproject commit 026b8434ebcbeec48939d1c7671a0a4d5c75202b
+Subproject commit 0cc9e1cc8a6650d3b656cb98cba0edb54040510c
diff --git a/llarp/rpc/rpc_server.cpp b/llarp/rpc/rpc_server.cpp
index 746557f63e..b33c8448e8 100644
--- a/llarp/rpc/rpc_server.cpp
+++ b/llarp/rpc/rpc_server.cpp
@@ -109,6 +109,17 @@ namespace llarp::rpc
       LogInfo("Bound RPC server to ", addr.full_address());
     }
 
+    for (const auto& [address, allowed_keys] : r->GetConfig()->api.m_rpcEncryptedAddresses)
+    {
+      m_LMQ->listen_curve(address.zmq_address(), [allowed_keys = allowed_keys](auto pk, ...) {
+        if (std::find(allowed_keys.begin(), allowed_keys.end(), pk) != allowed_keys.end())
+          return oxenmq::AuthLevel::admin;
+
+        LogInfo("Curve pubkey not found in whitelist");
+        return oxenmq::AuthLevel::denied;
+      });
+    }
+
     AddCategories();
   }